{{#assign "s1"}}
BCrypt is a one way salted hash function based on the <a href="https://en.wikipedia.org/wiki/Blowfish_(cipher)">Blowfish cipher</a>. It provides several enhancements over plain text passwords (unfortunately this still happens quite often) and traditional hashing algorithms (md5). It wouldn't be accurate to say BCrypt is the best way to store passwords but it should be good enough. Algorithms such as [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) could be used as a more thoroughly tested algorithm but BCrypt is commonly used as well. `jBCrypt` is a Java implementation of BCrypt.

## BCrypt features
* **Not plain text** - Not only do plain text passwords compromise your website if the database is breached but they can also compromise other websites for the users. Unfortunately a lot of users share passwords across websites.
* **One way hashing** - BCrypt is a one way hash function to obfuscate the password such that it is not stored in plain text.
* **Salted hashing** - Generating random bytes (the salt) and combining it with the password before hashing creates unique hashes across each users password. If two users have the same password they will not have the same password hash. This is to prevent [rainbow table](https://en.wikipedia.org/wiki/Rainbow_table) attacks which can reverse hashed passwords using common hashing functions that do not utilize a salt.
* **Logarithmic iterations** - The hashing function is executed many times sequentially which can be increased exponentially known as [key stretching](https://en.wikipedia.org/wiki/Key_stretching). This is to make the function CPU intensive which makes it more secure against brute force attacks.
* **Updatable iterations** - As CPUs become faster so do brute force attacks. Since BCrypt stores the number of iterations as part of the hash it's possible to verify a password and then increase its strength by generating a new hash with a higher number of iterations.

{{> templates/src/widgets/code/code-snippet file=bcrypt section=bcrypt.sections.UpdatableBCrypt}}


## jBCrypt Example Wrapper.
We will be wrapping the standard `jBCrypt` with our own methods to allow auto updating the iterations on the fly.
{{/assign}}
{{md s1}}

{{#assign "s2"}}
## Static Hashing Utility Class
Let's make a static utility class to handle everything for us. Ideally we will periodically update the number of iterations in this class based on the recommended intervals.
{{/assign}}
{{md s2}}
{{> templates/src/widgets/code/code-snippet file=hashing section=hashing.sections.bcrypt}}

{{#assign "s3"}}
## BCrypt Java Example with Updatable Iterations
Putting it all together.
{{/assign}}
{{md s3}}
{{> templates/src/widgets/code/code-snippet file=hashing section=hashing.sections.bcryptMain}}
{{#assign "s4"}}
Notice how the first and second password are the same but the hashes are different. We are also able to upgrade an older version of a BCrypt password using a low number of iterations to a higher number on the fly. In the real world the passed in `Function` would be updating the database.
{{/assign}}
{{md s4}}
<pre class="line-numbers"><code class="language-bash">2017-08-02 01:07:38.757 [main] DEBUG com.stubbornjava.common.Hashing - hash of pw1: $2a$11$MXOOO1JYngri2arcL6Cic.KuBujhqgz.B2ri6szqN2/cfsdiQa7se
2017-08-02 01:07:38.936 [main] DEBUG com.stubbornjava.common.Hashing - verifying pw1: true
2017-08-02 01:07:39.108 [main] DEBUG com.stubbornjava.common.Hashing - verifying pw1 fails: false
2017-08-02 01:07:39.284 [main] DEBUG com.stubbornjava.common.Hashing - hash of pw2: $2a$11$TckEYxY/0DPf6OfpQhXKP./hl45UlgXYs0jQFsZZCwBEjUCo7bUKy
2017-08-02 01:07:39.466 [main] DEBUG com.stubbornjava.common.Hashing - verifying pw2: true
2017-08-02 01:07:39.647 [main] DEBUG com.stubbornjava.common.Hashing - verifying pw2 fails: false
2017-08-02 01:07:39.660 [main] DEBUG com.stubbornjava.common.Hashing - hash of oldHash: $2a$07$LMVTcMYGZZ6ORi4oPUGPAe3v8Kqpl.UCzKO2s8yfFN6c9vfM4szKW
2017-08-02 01:07:39.671 [main] DEBUG c.s.common.UpdatableBCrypt - Updating password from 7 rounds to 11
2017-08-02 01:07:39.848 [main] DEBUG com.stubbornjava.common.Hashing - verifying oldHash: true, hash upgraded to: $2a$11$1MvimUN3YO4G9DGY8G7rqOyPIjyye7jMYdIu8/BXL7t.e9CECj5Oa</code></pre>
